IEOC - Internetwork Expert's Online Community

Latest post 07-04-2009 12:16 AM by johnthom1865. 8 replies.
Page 1 of 1 (9 items)
  • 07-02-2009 9:26 PM

    • Kami
    • Top 10 Contributor
    • Joined on 09-17-2008
    • Australia
    • Elite
    • Points 7,475

    NBAR - HTTP

    Hi folks,

    Is the following class-map able to pick up "all ASPX pages to/from test.com" ?

    class-map match-all TEST
    match protocol http url "*.aspx"
    match protocol http url "*test.com*"



    Thanks
    Cheers,
    K.




    • Post Points: 20
  • 07-02-2009 10:22 PM In reply to

    Re: NBAR - HTTP

    Hi K,

     

    Should be, I would add another * at the end on the .aspx and make it match protocol http url "*.aspx*", then I would telnet on port 80 from another router. After you type: GET blablatest.com/testtest.aspx HTTP/1.1 and hit enter. 

     

    If it comes right back with an error, then it did not hit the class map, if it hangs for a while, then SCORE! :)

     

    -Andrei

    Regards,

    Andrei

    • Post Points: 20
  • 07-02-2009 10:52 PM In reply to

    • Kami
    • Top 10 Contributor
    • Joined on 09-17-2008
    • Australia
    • Elite
    • Points 7,475

    Re: NBAR - HTTP

    Thanks mate, 

    So in this case is there any difference between

     match protocol http url "*test.com*"

    and

    match protocol http host "*test.com*"

    ?

    Thanks
    Cheers,
    K.
    • Post Points: 35
  • 07-02-2009 11:03 PM In reply to

    Re: NBAR - HTTP

    As far as I know there is. When you use the "host" keyword, NBAR will do a reverse lookup on the destination IP of the webserver, therefore you need ip domain-lookup enabled and a valid DNS server configured for that to work properly.

     

    Let's say you're trying to hit http://1.1.1.1/test.aspx


    If for example 1.1.1.1 resolves to webserver.test.com then it will hit the policy. I would stay away from the host keyword since you're relying on a DNS server, if a task would require you to use host for some strange reason you have to enable all the DNS stuff as well. I could be wrong though

     

    -Andrei

    Regards,

    Andrei

    • Post Points: 20
  • 07-03-2009 5:03 PM In reply to

    Re: NBAR - HTTP


    This is not the way I understand "match protocol http host". The idea is to match the host field in the HTTP header, not an IP address (unless you specified an IP address). So the main HTTP request is a GET. It's the main one because it is the only one I know :-)

    Anyway the GET method is well known and has specific fields to match on...for example

    I did two quick wireshark captures using firefox to download this page

    Here is the http get request for http://ieoc.com/forums/t/7029.asp

    GET /forums/t/7029.aspx HTTP/1.1
    Host: ieoc.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Cookie:


    Here is the http get request for http://24.176.176.190/forums/t/7029.aspx

    GET /forums/t/7029.aspx HTTP/1.1
    Host: 24.176.176.190
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Cookie:

    So is there a difference between

    match protocol http url "ieoc.com"
    and
    match protocol http host "ieoc.com"

    From the doc cd----Classifying Network Traffic Using NBAR

    "When specifying a URL for classification, include only the portion of the URL that follows the www.hostname.domain in the match statement. For example, for the URL www.cisco.com/latest/whatsnew.html, include only /latest/whatsnew.html with the match statement (for instance, match protocol http url /latest/whatsnew.html)............Host specification is identical to URL specification. NBAR performs a regular expression match on the host field contents inside an HTTP packet and classifies all packets from that host. For example, for the URL www.cisco.com/latest/whatsnew.html, include only www.cisco.com."

    You can also see the MIME type in the capture above (text/html) and the User-Agent (Mozilla etc.), which might help in understanding the command reference.

    Lastly keep in mind that I only pasted the request the http header coming back from the server looks different.

    HTH

    • Post Points: 5
  • 07-03-2009 5:10 PM In reply to

    Re: NBAR - HTTP

    HTTP header coming back from server

     

    HTTP/1.1 401 Unauthorized
    Content-Length: 1608
    Content-Type: text/html
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    Date: Fri, 03 Jul 2009 23:32:50 GMT

    • Post Points: 20
  • 07-03-2009 5:20 PM In reply to

    Re: NBAR - HTTP

    Very cool. Did not know that. Thanks for the sniffer logs John!

    Regards,

    Andrei

    • Post Points: 20
  • 07-03-2009 5:31 PM In reply to

    Re: NBAR - HTTP

    Cool website that will dynamically let you look at the http headers...no sniffer needed....http://www.httpviewer.net/

     

     

    • Post Points: 5
  • 07-04-2009 12:16 AM In reply to

    Re: NBAR - HTTP

    Kami:

    So in this case is there any difference between

    match protocol http url "*test.com*"

    and

    match protocol http host "*test.com*"

    ?
    
    

    YES there is a difference between host and url and direction DOES matter
    Summary of a very long but quick post...My Conclusion is that URL should NOT be used to match on host name (google in this case), but read the rest and judge for yourself. 


    Testing procedure below


    Topology
    PC--------fa0/0-Router-Dial0------Internet


    MYROUTER#sho ver
    Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(25a), RELEASE SOFTWARE (fc2)


    1.  TEST.....match protocol http host "*google*" ....outbound to Internet (inbound on fa0/0)

    class-map match-all WWW
     match protocol http host "*google*"
      
    policy-map MARK_WWW
     class WWW
      set precedence 3

    interface FastEthernet0/0
     service-policy input MARK_WWW


    A. Surf to http://www.google.com from pc
    MYROUTER#sho policy-map int fa0/0
     FastEthernet0/0
      Service-policy input: MARK_WWW
        Class-map: WWW (match-all)
          14 packets, 3557 bytes                                                         
          5 minute offered rate 2000 bps, drop rate 0 bps
          Match: protocol http host "*google*"
          QoS Set
            precedence 3
              Packets marked 14                                                                      <-----matches on host (but wireshark caught around 30 packets)

        Class-map: class-default (match-any)
          22 packets, 1620 bytes                                                                   <----- pretty quiet network --- some of this is telnet
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
    B. Surf to http://www.google.com/google from pc
    MYROUTER#clear counters fa0/0   <------- Counters CLEARED
    Clear "show interface" counters on this interface [confirm]
    MYROUTER#sho policy-map int fa0/0
     FastEthernet0/0
      Service-policy input: MARK_WWW
        Class-map: WWW (match-all)
          7 packets, 1916 bytes                                                                     <------- Still making matches but a google returns 404 so not a lot of data
          5 minute offered rate 1000 bps, drop rate 0 bps
          Match: protocol http host "*google*"
          QoS Set
            precedence 3
              Packets marked 7
        Class-map: class-default (match-any)
          24 packets, 1881 bytes
          5 minute


    2.  TEST.....match protocol http url "*google*" ....outbound to Internet (inbound on fa0/0)


    class-map match-all WWW
    match protocol http url "*google*"


    A. Surf to http://www.google.com from pc
    MYROUTER#clear counters fa0/0   
    Clear "show interface" counters on this interface [confirm]
    MYROUTER#sho policy-map int fa0/0
     FastEthernet0/0
      Service-policy input: MARK_WWW
        Class-map: WWW (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http url "*google*"  
          QoS Set
            precedence 3
              Packets marked 0                                                    <--------- Nothing URL not good for matching www.google.com

        Class-map: class-default (match-any)
          28 packets, 4505 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
    MYROUTER#
    B. Surf to http://www.google.com/google from pc
    MYROUTER#clear counters fa0/0    <------- Counters CLEARED
    Clear "show interface" counters on this interface [confirm]
    MYROUTER#sho policy-map int fa0/0
     FastEthernet0/0
      Service-policy input: MARK_WWW
        Class-map: WWW (match-all)
          4 packets, 986 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http url "*google*"
          QoS Set
            precedence 3
              Packets marked 4                                                                       <--------- some matches similar to above (Wireshark had around 17 total packets)

        Class-map: class-default (match-any)
          8 packets, 628 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
    3.  TEST.....match protocol http ....outbound to Internet (inbound on fa0/0)
    class-map match-all WWW
    match protocol http                                                                <-------Just to stay sane a little simpler please
    A. Surf to http://www.google.com from pc
    MYROUTER#sho policy-map int fa0/0
     FastEthernet0/0

      Service-policy input: MARK_WWW

        Class-map: WWW (match-all)
          13 packets, 3495 bytes                                                      

     5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http
          QoS Set
            precedence 3
              Packets marked 13                                                             <--almost identical to "host" above

        Class-map: class-default (match-any)
          21 packets, 1656 bytes                                           <--almost identical to "host" above
           5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
    MYROUTER#
    B. Surf to http://www.google.com/google from pc
    MYROUTER#sho policy-map int fa0/0
     FastEthernet0/0
      Service-policy input: MARK_WWW
        Class-map: WWW (match-all)
          7 packets, 1166 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http
          QoS Set
            precedence 3
              Packets marked 7                                           

        Class-map: class-default (match-any)
          17 packets, 1156 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
    MYROUTER#

    • Post Points: 5
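    The tests above boil down to one rule from the doc CD: "url" is matched against the part of the request line after the host name, while "host" is matched against the Host header. The following script is an added example, not IOS code or anything posted in this thread; it parses raw HTTP/1.1 request headers like the Wireshark captures above and applies that rule so you can see why "url *google*" never fires for http://www.google.com/ but does for /google, and why the original match-all class-map with url "*.aspx" plus url "*test.com*" cannot match a normal request. The "*" wildcard handling (any run of characters, anchored at both ends) and the google request samples are assumptions modelled on the class-map strings and the test descriptions in this thread.

```python
"""Model of NBAR 'match protocol http url' vs 'match protocol http host'.

Added example (not IOS or NBAR code). The rule implemented is the one quoted
from the doc CD in this thread: 'url' is compared with the path after the
host name, 'host' with the Host header. Wildcard semantics are an assumption.
"""
import re

# Constructed sample requests. The first two mirror the ieoc.com captures
# posted above; the google ones are assumed from the test descriptions.
IEOC_BY_NAME = """GET /forums/t/7029.aspx HTTP/1.1
Host: ieoc.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: keep-alive
Cookie:
"""

IEOC_BY_IP = IEOC_BY_NAME.replace("Host: ieoc.com", "Host: 24.176.176.190")

GOOGLE_ROOT = "GET / HTTP/1.1\nHost: www.google.com\nConnection: keep-alive\n"
GOOGLE_PATH = "GET /google HTTP/1.1\nHost: www.google.com\nConnection: keep-alive\n"


def parse_request(raw: str):
    """Split a raw HTTP request header block into (method, path, headers).

    Header names are lower-cased; an empty value (like the 'Cookie:' line in
    the captures) is kept as an empty string rather than dropped.
    """
    lines = raw.strip("\r\n").split("\n")
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def glob_to_regex(pattern: str) -> str:
    """Turn a class-map style string into an anchored regex.

    Assumption: '*' matches any run of characters and everything else is
    literal, so "*google*" means 'google anywhere' and "*.aspx" means
    'ends in .aspx'.
    """
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def nbar_match(kind: str, pattern: str, raw_request: str) -> bool:
    """Evaluate one 'match protocol http <url|host> "<pattern>"' line."""
    _method, path, headers = parse_request(raw_request)
    if kind == "url":
        subject = path                      # only the part after the host name
    elif kind == "host":
        subject = headers.get("host", "")   # the Host header, not the IP
    else:
        raise ValueError("kind must be 'url' or 'host'")
    return re.match(glob_to_regex(pattern), subject, re.IGNORECASE) is not None


def class_map_match_all(match_lines, raw_request: str) -> bool:
    """'class-map match-all': every match line must succeed."""
    return all(nbar_match(kind, pat, raw_request) for kind, pat in match_lines)


def class_map_match_any(match_lines, raw_request: str) -> bool:
    """'class-map match-any': one successful match line is enough."""
    return any(nbar_match(kind, pat, raw_request) for kind, pat in match_lines)


if __name__ == "__main__":
    # Replays the three tests from the last post against the model.
    for label, req in (("www.google.com/", GOOGLE_ROOT), ("www.google.com/google", GOOGLE_PATH)):
        print(label, "host *google* ->", nbar_match("host", "*google*", req),
              "| url *google* ->", nbar_match("url", "*google*", req))
    # The class-map from the opening question: both url lines must hit.
    original = [("url", "*.aspx"), ("url", "*test.com*")]
    print("original match-all class-map on the ieoc capture ->",
          class_map_match_all(original, IEOC_BY_NAME))
    # What the thread's conclusion suggests instead: host for the name, url for the page.
    fixed = [("url", "*.aspx"), ("host", "*ieoc.com*")]
    print("host + url match-all on the ieoc capture ->",
          class_map_match_all(fixed, IEOC_BY_NAME))
```

    Run it and the google rows reproduce the counters from the last post: "host" fires for both requests, "url" only once the path itself contains the string. The last two lines show the practical consequence for the opening question: a match-all class-map with two url lines, one of which really wants a host name, can never match a well-formed request, whereas splitting it into a host line and a url line does. Note the model says nothing about the IP-address case (Host: 24.176.176.190); with the rule as quoted, a host pattern of "*ieoc.com*" simply does not match that request.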
© 2010 Internetwork Expert, Inc. All Rights Reserved